No description
9ba35fe8c2
Policy developers can set a default_range default to glblub and computed contexts will be the intersection of the ranges of the source and target contexts. This can be used by MLS userspace object managers to find the range of clearances that two contexts have in common. An example usage is computing a transition between the network context and the context of a user logging into an MLS application. For example, one can add a default with this cil: (defaultrange db_table glblub) or in te (base module only): default_range db_table glblub; and then test using the compute_create utility: $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 Some example range transitions are: User Permitted Range | Network Device Label | Computed Label ---------------------|----------------------|---------------- s0-s1:c0.c12 | s0 | s0 s0-s1:c0.c12 | s0-s1:c0.c1023 | s0-s1:c0.c12 s0-s4:c0.c512 | s1-s1:c0.c1023 | s1-s1:c0.c512 s0-s15:c0,c2 | s4-s6:c0.c128 | s4-s6:c0,c2 s0-s4 | s2-s6 | s2-s4 s0-s4 | s5-s8 | INVALID s5-s8 | s0-s4 | INVALID Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com> |
||
|---|---|---|
| checkpolicy | ||
| dbus | ||
| gui | ||
| libselinux | ||
| libsemanage | ||
| libsepol | ||
| mcstrans | ||
| policycoreutils | ||
| python | ||
| restorecond | ||
| sandbox | ||
| scripts | ||
| secilc | ||
| semodule-utils | ||
| .gitignore | ||
| .travis.yml | ||
| CleanSpec.mk | ||
| CONTRIBUTING.md | ||
| Makefile | ||
| README | ||
Please submit all bug reports and patches to selinux@vger.kernel.org. Subscribe by sending "subscribe selinux" in the body of an email to majordomo@vger.kernel.org. Build dependencies on Fedora: yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python3-devel python3-setools swig xmlto redhat-rpm-config To build and install everything under a private directory, run: make DESTDIR=~/obj install install-pywrap To install as the default system libraries and binaries (overwriting any previously installed ones - dangerous!), on x86_64, run: make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel or on x86 (32-bit), run: make install install-pywrap relabel This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces. To install libsepol on macOS (mainly for policy analysis): cd libsepol; make PREFIX=/usr/local install This requires GNU coreutils (brew install coreutils).